We had a lively round table debate about “how much security is enough?” during Networking Field Day 11. It’s certainly not a pure networking question which some in the room debated is no longer, or perhaps has never been, the network engineer’s responsibility, but a large number of networking professionals these days are still charged with keeping the digital landscape clear of threats within their employers networks.

The argument put forth was essentially that it is cheaper for companies to take the data breach hit than feed the ever growing IT security budgets because there are no penalties or little downsides for the many business that are involved in what has become a daily occurrence of customer and/or credit card data theft from a resulting data breach. Greg suggests that companies might be better suited investing in a good public relations firm to help manage any public crisis that might arise. I wouldn’t agree that there aren’t any downsides although I would reluctantly agree that large businesses appear to be emerging relatively unscathed from these incidents. The emergence of data breach insurance, also known as cyber liability insurance, gives additional credence that large business look at security and data breaches as a simple math problems.

In short the financial penalty for losing your customer data doesn’t justify the IT security spend needed to actually sure the the data. So it’s cheaper for large businesses to essentially take the financial hit for a data breach rather than spend the considerable resources need to secure the data, application or solution.

There’s certainly validity to the overall point that there’s little motivation for large businesses to spend significant resources on overall IT security. In an article entitled, “Why companies have little incentive to invest in cybersecurity” by Benjamin Dean, Benjamin provides numerous facts and supporting evidence to suggest that there’s little motivation for large businesses to heavily invest in protecting customer information. Benjamin provides data from both the Target and Home Depot breaches that supports the argument and ultimately ponders if additional governmental oversight will be needed to close the loop.

I would counter with this point, when has any large business spent any more than it absolutely needed on anything. I can’t tell you how often I’ve stood in front of a budget committee and been told that I’ll just need to make do with the capital or operating funds that I have available no matter the strategic importance to the business operation or ROI.

What do you think?

Is additional government oversight needed to get large business to take more responsibility?